Stas,

On Tue, Sep 18, 2012 at 1:09 PM, Stas Malyshev <smalys...@sugarcrm.com> wrote:

> Hi!
>
> > No it's not. A filter removes, but escaping lets the original content
> > pass through unchanged, with the necessary in-band signalling to make
> > sure that its content is not treated as in-band signalling.
>
> Again, you are confusing particular implementation of a particular
> filter with the idea of filtering. Moreover, even existing filters do
> not match your description:

No, he's not. Filtering and escaping are two very significant concepts in
security. Just because PHP implemented some escaping concepts into the
filter function does not mean that the concerns are co-related.

> FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_MAGIC_QUOTES,
> FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_FULL_SPECIAL_CHARS,
> FILTER_SANITIZE_STRING, FILTER_CALLBACK
>
> But in general, look at implementation of filters anywhere - like Apache
> filters or IIS filters - nowhere it is said that filter can only remove
> data.

Actually, that's the basic definition of a filter (from a security context).
Just because people implemented other things and called them filters does not
make them filters in the context of this discussion.

The other point that you seem to be missing is that filtering is generic for an
application. You would apply the same filters for content that came in from an
HTTP post as content that came in from a JSON API call. The data is what's
filtered for your application.

Escaping on the other hand is context dependent. You need a different form of
escaping for each output type (HTML, HTML attribute, XML, XML attribute, XML
processing instruction, JSON, database query, etc). So you cannot do a generic
escaping like you can do a generic filtering. Escaping should be done as close
to the edge as possible.

Check out this post I did a while ago with a pretty drawn out section talking
about the two concepts...

http://blog.ircmaxell.com/2011/03/what-is-security-web-application.html

Anthony
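The split Anthony describes, as an added PHP user-land example that is not part of the thread or of PHP's filter extension: one generic filter is run over input from two different sources, and a separate escaper is chosen per output sink (HTML, URL parameter, script block, SQL via a bound parameter). The table name, field names and sample values are constructed for the illustration.

```php
<?php
// Added example, not code from the thread. One generic filter for every input
// source, then a different context-specific escaper for each output sink.

// Generic filtering: identical rules for form data and JSON API data, because
// filtering describes what the application accepts, not where the data will go.
function filterUserInput(array $raw): array {
    return [
        'age'  => filter_var($raw['age'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0, 'max_range' => 150]]),
        // Remove control characters: a filter removes, it does not encode.
        'name' => preg_replace('/[\x00-\x1F\x7F]/', '', (string) ($raw['name'] ?? '')),
    ];
}

// Constructed sample inputs from two sources, same filter applied to both.
$fromForm = filterUserInput(['age' => '42', 'name' => "O'Brien <b>&co</b>"]);
$fromJson = filterUserInput(json_decode('{"age":"abc","name":"Ann \"Q\"\u0007"}', true));

// Context-specific escaping at the edge: one function per output type.
function escHtml(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
function escUrlParam(string $s): string { return rawurlencode($s); }
function escJs(mixed $v): string {
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}
// SQL: no hand escaping; the driver keeps the value out of the query text via a bound parameter.
function findByName(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');   // in-memory table constructed for the example
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (?)');
$ins->execute([$fromForm['name']]);

echo '<p>' . escHtml($fromForm['name']) . "</p>\n";                  // <b> becomes inert text
echo '<input value="' . escHtml($fromForm['name']) . "\">\n";         // quotes encoded for the attribute
echo '<a href="/u?name=' . escUrlParam($fromForm['name']) . "\">\n";  // percent-encoded for the URL
echo '<script>var user = ' . escJs($fromForm) . ";</script>\n";       // safe inside a script block
var_dump($fromJson['age']);                                           // bool(false): "abc" rejected by the filter
var_dump(findByName($db, $fromForm['name']));                         // row found, apostrophe and all
```

Note that the same filtered `$fromForm['name']` is written four different ways, and that the JSON-sourced name passed through the same filter (with its BEL character stripped) even though it arrived by a different route.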